Package: ftp.debian.org
Severity: important
User: [email protected]
Usertags: remove
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:https-everywhere

Hi,

please remove the source package https-everywhere and its corresponding binary package webext-https-everywhere from bullseye.

I am the former maintainer of https-everywhere and was just informed [1] that the current package in bullseye poses a security risk to users which cannot be fixed by the LTS team because

a) https-everywhere is obsolete and discontinued

b) upstream, the Electronic Frontier Foundation, apparently let the https-rulesets.org domain expire which was the source for up-to-date https-rules and a third party registered said domain. The browser addon obtained new rules from this domain and trusts it unconditionally. It appears https-rulesets.org redirects to a known malware site now.

For users in bullseye this may pose a severe security risk. Since we cannot restore the old functionality, removal is the only viable option.

[1] https://bugs.debian.org/1118030

Regards,

Markus

